diff --git a/kubernetes/app/pihole/configmap-adlists.yaml b/kubernetes/app/pihole/configmap-adlists.yaml
index c60b07a..ca2189a 100644
--- a/kubernetes/app/pihole/configmap-adlists.yaml
+++ b/kubernetes/app/pihole/configmap-adlists.yaml
@@ -13,3 +13,6 @@ data:
     https://raw.githubusercontent.com/braveinnovators/ukrainian-security-filter/main/lists/domains.txt
     # Phishing Army Extended
     https://phishing.army/download/phishing_army_blocklist_extended.txt
+  unfiltered-clients.txt: |
+    # Clients without ad blocking (one per line, use IP — PiHole matches by IP, not hostname)
+    10.127.0.10
diff --git a/kubernetes/app/pihole/deployment.yaml b/kubernetes/app/pihole/deployment.yaml
index 54f5a64..9d24555 100644
--- a/kubernetes/app/pihole/deployment.yaml
+++ b/kubernetes/app/pihole/deployment.yaml
@@ -74,9 +74,14 @@ spec:
                       done
                       grep -v '^#\|^$' /etc/pihole-adlists/adlists.txt | while read -r url; do
                         curl -s -X POST "http://localhost/api/lists?type=block&sid=$SID" \
-                          -d "{\"address\":\"$url\"}" > /dev/null
+                          -d "{\"address\":\"$url\"}"
                       done
-                      curl -s -X POST "http://localhost/api/action/gravity?sid=$SID" > /dev/null
+                      grep -v '^#\|^$' /etc/pihole-adlists/unfiltered-clients.txt | while read -r client; do
+                        curl -s -X POST "http://localhost/api/clients?sid=$SID" \
+                          -d "{\"client\":\"$client\",\"groups\":[]}"
+                      done
+                      # NOTE: gravity must be last — it blocks until complete and may outlive the SID
+                      curl -s -X POST "http://localhost/api/action/gravity?sid=$SID"
                     ) &
           volumeMounts:
             - name: pihole-config